When a client accesses a service from a client computer system, the client computer system establishes a communication link to a content server operated by a service provider. The content server is generally located in a data center operated by the service provider. The communication link can be established using one or more logical network connections. In some environments, the communication link between the client computer system and the content server is established as a single logical connection, but as the size and complexity of the service increase this is not always practical or desirable. For example, a service provider may use a number of content servers to provide increased service capacity, and a TLS termination point such as a proxy may be placed between the content servers and the clients. Service requests are sent from the client computer system to the TLS termination point, which distributes them to the content servers based on server workload, resource matching, or other priorities.
The presence of load-balancing proxies, firewalls, or other intermediate network entities in the communication link between the client and the content server may complicate the use of secure transport protocols such as transport layer security (“TLS”), or of other protocols that use endpoint authentication. In the case of TLS, a communication link between the client computer system and the content server via an intermediate TLS termination point consists of a first TLS connection between the client computer system and the TLS termination point, and a second logical connection (using TLS or another protocol) between the TLS termination point and the content server. When the first TLS connection is established, the TLS termination point presents a digital certificate belonging to the content server to the client computer system. In addition, the TLS termination point uses the private key associated with that digital certificate to exchange a master secret with the client computer system. To make this possible, proxies (and other entities that terminate TLS/SSL connections on behalf of other entities, such as content delivery networks (“CDNs”), web application firewalls (“WAFs”), and distributed denial of service (“DDoS”) protection services) retain a copy of the content server's digital certificate and private key on the TLS termination point. Securely maintaining digital certificates and private keys on such intermediate entities is a difficult problem for service providers.
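The two-hop arrangement described above, as an added Go example that is not part of the original text: the termination point is handed the origin's certificate and private key, completes the client's TLS handshake with them on a loopback socket, and relays the decrypted request to a plaintext content server that never touches the key. The name origin.example, the throwaway self-signed certificate and the "hello" request are constructed for this demonstration and stand in for a real CDN or WAF edge and its origin.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"net"
	"time"
)
// originIdentity mints a throwaway self-signed certificate for the constructed name "origin.example" plus its key.
func originIdentity() (tls.Certificate, *x509.CertPool) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // stands in for the content server's real key pair
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"origin.example"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // error ignored: fixed, valid template
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool() // the client's trust store, so it can verify what the proxy presents
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}
// RunTwoHop sends one request along client -> TLS termination point -> content server and returns
// the DNS name the client verified on its TLS peer plus the reply relayed back from the origin.
func RunTwoHop() (peerName, reply string, err error) {
	origin, pool := originIdentity() // the proxy is handed the origin's certificate AND private key
	up, down := net.Pipe()           // hop 2: proxy-to-origin link, plaintext in this example
	go func() {                      // the content server itself: it never handles TLS
		buf := make([]byte, 64)
		n, _ := down.Read(buf)
		down.Write(append([]byte("origin got: "), buf[:n]...))
		down.Close()
	}()
	// hop 1: the termination point completes the handshake with the origin's cert and key, then relays bytes
	front, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{origin}})
	go func() {
		proxy, _ := front.Accept()
		go io.Copy(up, proxy) // decrypted request upstream
		io.Copy(proxy, up)    // reply back down, re-encrypted under the client's session
		proxy.Close()
	}()
	client, err := tls.Dial("tcp", front.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "origin.example"})
	if err != nil { // certificate verification failures surface here
		return "", "", err
	}
	client.Write([]byte("hello"))
	out, _ := io.ReadAll(client)
	return client.ConnectionState().PeerCertificates[0].DNSNames[0], string(out), nil
}
```

The client verifies origin.example on its peer even though it only ever spoke to the proxy, which is exactly why the proxy must hold the origin's private key.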